$ oc new-project my-namespace
Create and manage seccomp profiles and bind them to workloads.
The Security Profiles Operator supports only Red Hat Enterprise Linux CoreOS (RHCOS) worker nodes. Red Hat Enterprise Linux (RHEL) nodes are not supported. |
Use the SeccompProfile
object to create profiles.
SeccompProfile
objects can restrict syscalls within a container, limiting the access of your application.
Create a project by running the following command:
$ oc new-project my-namespace
Create the SeccompProfile
object:
apiVersion: security-profiles-operator.x-k8s.io/v1beta1
kind: SeccompProfile
metadata:
namespace: my-namespace
name: profile1
spec:
defaultAction: SCMP_ACT_LOG
The seccomp profile will be saved in /var/lib/kubelet/seccomp/operator/<namespace>/<name>.json
.
An init
container creates the root directory of the Security Profiles Operator to run the Operator without root
group or user ID privileges. A symbolic link is created from the rootless profile storage /var/lib/openshift-security-profiles
to the default seccomp
root path inside of the kubelet root /var/lib/kubelet/seccomp/operator
.
Create a pod to apply one of the created profiles.
Create a pod object that defines a securityContext
:
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: Localhost
localhostProfile: operator/my-namespace/profile1.json
containers:
- name: test-container
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
View the profile path of the seccompProfile.localhostProfile
attribute by running the following command:
$ oc -n my-namespace get seccompprofile profile1 --output wide
NAME STATUS AGE SECCOMPPROFILE.LOCALHOSTPROFILE
profile1 Installed 14s operator/my-namespace/profile1.json
View the path to the localhost profile by running the following command:
$ oc get sp profile1 --output=jsonpath='{.status.localhostProfile}'
operator/my-namespace/profile1.json
Apply the localhostProfile
output to the patch file:
spec:
template:
spec:
securityContext:
seccompProfile:
type: Localhost
localhostProfile: operator/my-namespace/profile1.json
Apply the profile to any other workload, such as a deployment
object, by running the following command:
$ oc -n my-namespace patch deployment myapp --patch-file patch.yaml --type=merge
deployment.apps/myapp patched
Confirm the profile was applied correctly by running the following command:
$ oc -n my-namespace get deployment myapp --output=jsonpath='{.spec.template.spec.securityContext}' | jq .
{
"seccompProfile": {
"localhostProfile": "operator/my-namespace/profile1.json",
"type": "localhost"
}
}
You can use the ProfileBinding
resource to bind a security profile to the SecurityContext
of a container.
To bind a pod that uses a quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
image to the example SeccompProfile
profile, create a ProfileBinding
object in the same namespace with the pod and the SeccompProfile
objects:
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileBinding
metadata:
namespace: my-namespace
name: nginx-binding
spec:
profileRef:
kind: SeccompProfile (1)
name: profile (2)
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21 (3)
1 | The kind: variable refers to the kind of the profile. |
2 | The name: variable refers to the name of the profile. |
3 | You can enable a default security profile by using a wildcard in the image attribute: image: "*" |
Using the |
Label the namespace with enable-binding=true
by running the following command:
$ oc label ns my-namespace spo.x-k8s.io/enable-binding=true
Define a pod named test-pod.yaml
:
apiVersion: v1
kind: Pod
metadata:
name: test-pod
spec:
containers:
- name: test-container
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
Create the pod:
$ oc create -f test-pod.yaml
If the pod already exists, you must re-create the pod for the binding to work properly. |
Confirm the pod inherits the ProfileBinding
by running the following command:
$ oc get pod test-pod -o jsonpath='{.spec.containers[*].securityContext.seccompProfile}'
{"localhostProfile":"operator/my-namespace/profile.json","type":"Localhost"}
The Security Profiles Operator can record system calls with ProfileRecording
objects, making it easier to create baseline profiles for applications.
When using the log enricher for recording seccomp profiles, verify the log enricher feature is enabled. See Additional resources for more information.
A container with |
Create a project by running the following command:
$ oc new-project my-namespace
Label the namespace with enable-recording=true
by running the following command:
$ oc label ns my-namespace spo.x-k8s.io/enable-recording=true
Create a ProfileRecording
object containing a recorder: logs
variable:
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
namespace: my-namespace
name: test-recording
spec:
kind: SeccompProfile
recorder: logs
podSelector:
matchLabels:
app: my-app
Create a workload to record:
apiVersion: v1
kind: Pod
metadata:
namespace: my-namespace
name: my-pod
labels:
app: my-app
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: nginx
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
ports:
- containerPort: 8080
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
- name: redis
image: quay.io/security-profiles-operator/redis:6.2.1
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
Confirm the pod is in a Running
state by entering the following command:
$ oc -n my-namespace get pods
NAME READY STATUS RESTARTS AGE
my-pod 2/2 Running 0 18s
Confirm the enricher indicates that it receives audit logs for those containers:
$ oc -n openshift-security-profiles logs --since=1m --selector name=spod -c log-enricher
I0523 14:19:08.747313 430694 enricher.go:445] log-enricher "msg"="audit" "container"="redis" "executable"="/usr/local/bin/redis-server" "namespace"="my-namespace" "node"="xiyuan-23-5g2q9-worker-eastus2-6rpgf" "pid"=656802 "pod"="my-pod" "syscallID"=0 "syscallName"="read" "timestamp"="1684851548.745:207179" "type"="seccomp"
Remove the pod:
$ oc -n my-namepace delete pod my-pod
Confirm the Security Profiles Operator reconciles the two seccomp profiles:
$ oc get seccompprofiles -lspo.x-k8s.io/recording-id=test-recording -n my-namespace
NAME STATUS AGE
test-recording-nginx Installed 2m48s
test-recording-redis Installed 2m48s
By default, each container instance records into a separate profile. The Security Profiles Operator can merge the per-container profiles into a single profile. Merging profiles is useful when deploying applications using ReplicaSet
or deployment
objects.
Edit a ProfileRecording
object to include a mergeStrategy: containers
variable:
apiVersion: security-profiles-operator.x-k8s.io/v1alpha1
kind: ProfileRecording
metadata:
# The name of the Recording is the same as the resulting SeccompProfile CRD
# after reconciliation.
name: test-recording
namespace: my-namespace
spec:
kind: SeccompProfile
recorder: logs
mergeStrategy: containers
podSelector:
matchLabels:
app: sp-record
Label the namespace by running the following command:
$ oc label ns my-namespace security.openshift.io/scc.podSecurityLabelSync=false pod-security.kubernetes.io/enforce=privileged pod-security.kubernetes.io/audit=privileged pod-security.kubernetes.io/warn=privileged --overwrite=true
Create the workload with the following YAML:
apiVersion: apps/v1
kind: deployment
metadata:
name: nginx-deploy
namespace: my-namespace
spec:
replicas: 3
selector:
matchLabels:
app: sp-record
template:
metadata:
labels:
app: sp-record
spec:
serviceAccountName: spo-record-sa
containers:
- name: nginx-record
image: quay.io/security-profiles-operator/test-nginx-unprivileged:1.21
ports:
- containerPort: 8080
To record the individual profiles, delete the deployment by running the following command:
$ oc delete deployment nginx-deploy -n my-namespace
To merge the profiles, delete the profile recording by running the following command:
$ oc delete profilerecording test-recording -n my-namespace
To start the merge operation and generate the results profile, run the following command:
$ oc get seccompprofiles -lspo.x-k8s.io/recording-id=test-recording -n my-namespace
NAME STATUS AGE
test-recording-nginx-record Installed 55s
To view the permissions used by any of the containers, run the following command:
$ oc get seccompprofiles test-recording-nginx-record -o yaml